CVE-2026-4409 MEDIUM

CVE-2026-4409: Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management

Vendor Wpkube
Product Subscribe To Comments Reloaded
Weakness CWE-200 · Info exposure
Published May 5, 2026
Last update May 5, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users.
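The weakness class described above (an authorization key derived from a value that visitors can read), shown next to a hardened design. This is an added example, not code from the plugin or its vendor: the record does not give the plugin's actual algorithm, so every function name, the token layout and the sample values are assumptions.

```php
<?php
// Added illustration; not code from Subscribe To Comments Reloaded.
// All function names and the token layout are hypothetical.

// Weak pattern (for contrast): the "secret" is a site-wide value that is also
// rendered into public pages, and the digest is unkeyed and fast to compute.
function weak_subscriber_key(string $pageVisibleKey, string $email): string {
    return md5($pageVisibleKey . $email);
}

// Hardened pattern: the key never leaves the server, the MAC is keyed
// (HMAC-SHA256), and the token is bound to one subscriber, one post and an
// expiry time, so it cannot be reused for another user or another post.
function issue_manage_token(string $serverSecret, string $email, int $postId, int $ttl = 86400): string {
    $expires = time() + $ttl;
    $payload = strtolower(trim($email)) . '|' . $postId . '|' . $expires;
    return $expires . '.' . hash_hmac('sha256', $payload, $serverSecret);
}

function verify_manage_token(string $serverSecret, string $email, int $postId, string $token): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < time()) {
        return false;                       // expired link
    }
    $payload  = strtolower(trim($email)) . '|' . $postId . '|' . $expires;
    $expected = hash_hmac('sha256', $payload, $serverSecret);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Constructed sample values.
$secret = bin2hex(random_bytes(32));        // generated once, stored server-side only
$token  = issue_manage_token($secret, 'reader@example.test', 42);
var_dump(verify_manage_token($secret, 'reader@example.test', 42, $token)); // same subscriber, same post
var_dump(verify_manage_token($secret, 'other@example.test', 42, $token));  // different subscriber
var_dump(verify_manage_token($secret, 'reader@example.test', 43, $token)); // different post
```

The server-side secret must never be echoed into HTML, inline scripts or REST responses; only the per-subscriber token belongs in the management link.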

Explanation of Vulnerability in Simple Terms

02 Summary

Subscribe To Comments Reloaded contains an information exposure vulnerability affecting versions up to 240119. An unauthenticated attacker can read sensitive data over the network without user interaction. The vulnerability allows exposure of confidential information and potential data modification. Site administrators should update to a version newer than the affected range.

What an attacker can do

03 Attacker Capabilities

Read sensitive data and potentially modify information without authentication.

Potential impact on your site

04 Site Impact

Subscriber data and site information may be exposed to unauthorized parties.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 5, 2026 CVE published
May 5, 2026 Record updated